By Christopher Oparaugo,
MBA, CGEIT, CRISC, CISM
The balanced scorecard (BSC), initially developed by Kaplan and
Norton, is a performance management system that should allow
enterprises to drive their strategies on measurement and follow-up.
In recent years the BSC has been applied to information technology
(IT) and currently I have developed the first real-life IT Security
Governance application based on mapping ISO27001 control
objectives to COBIT4.1 process areas and IT Governance focus
areas.
In this article, it is shown how an exercise in instituting controls
can be used to establish the IT balanced scorecard (IT BSC), which
can be linked to the business balanced scorecard (BU BSC) and in so
doing support the IT/Business governance and alignment
processes as derived from mapping ISO27001 and COBIT4.1
controls.
Kaplan and Norton (1992, 1993, 1996a, 1996b) have introduced
the balanced scorecard at the enterprise level. Their basic idea is
that the evaluation of an organization should not be restricted to a
traditional financial evaluation but should be supplemented with
measures concerning customer satisfaction, internal processes and
the ability to innovate. These additional measures should assure
future financial results and drive the organization towards its
strategic goals while keeping all four perspectives in balance. They
proposed a three-layered structure for the four perspectives:
mission (e.g., to become the customers’ most preferred supplier),
objectives (e.g., to provide the customers with new products) and
measures (e.g., percentage of turnover generated by new
products). The balanced scorecard can be applied to the IT function
and its processes, as Gold (1992, 1994) and Willcocks (1995) have
conceptually described, and this application has been further
developed by Van Grembergen and Van Bruggen (1997) and
Van Grembergen and Timmerman (1998).
In this article, we illustrate how a cascade of
scorecards can be instrumental in the
development of IT/business governance
processes and how this hierarchy of scorecards
can support the alignment of business and IT
strategy. The IT Development BSC and the IT
Controls/Operational BSC are introduced as
enablers for the Strategic BSC, which in turn is the
enabler of the Business BSC.
Governance is established through
compliance with standards and control objectives.
[Figure: cascade of scorecards, with boxes labelled Business BSC, IT Strategy BSC, IT Development BSC and IT Controls/Operation BSC]
IT governance is part of corporate governance and has to
provide the organizational structures that enable the
creation of business value through IT, the assurance that
there are no IT investments in bad projects, and the
assurance that adequate IT control mechanisms are established
through compliance with the control objectives of COBIT
and ISO27001.
The methodology of the Balanced Scorecard is a
measurement and management system that is very
suitable for supporting the IT governance process and the
IT/business alignment process.
Business unit/individual key performance indicators (KPIs)
can be developed from this exercise based on the
understanding, implementation and institution of these
control objectives, with the compliance score as a criterion.
[Figure: COBIT compliance to future desired state]
• Wim Van Grembergen presented at the European Conference on Information Systems (ECIS)
  in 1997 and 1998 and at the Information Resources Management Association (IRMA)
  Conferences in 1998, 1999 and 2000. He is Track Chair “IT Evaluation Methods and
  Management” for the 2000 IRMA conference.
• Gold, C. “Total quality management in information services – IS measures: a balancing
  act,” Research Note. Ernst & Young Center for Information Technology and Strategy,
  Boston, 1992.
• Gold, C. “US measures — a balancing act,” Ernst & Young Center for Business Innovation,
  Boston, 1994.
• Kaplan, R. and Norton, D. “The balanced scorecard — measures that drive performance,”
  Harvard Business Review. January-February 1992, pp. 71-79.
• Kaplan, R. and Norton, D. “Putting the balanced scorecard to work,” Harvard Business
  Review. September-October 1993, pp. 134-142.
• Kaplan, R. and Norton, D. “Using the balanced scorecard as a strategic management
  system,” Harvard Business Review. January-February 1996a, pp. 75-85.
• Kaplan, R. and Norton, D. “The balanced scorecard: translating vision into action,”
  Harvard Business School Press, Boston, 1996b.
• Van Grembergen, W. and Timmerman, D. “Monitoring the IT process through the
  balanced scorecard,” Proceedings of the 9th Information Resources Management (IRMA)
  International Conference, Boston, May 1998, pp. 105-116.
• Willcocks, L. Information Management. The evaluation of information systems
  investments. Chapman & Hall, London, 1995.
• Oparaugo, C. Conducted an ISO27001 self-assessment for Zain Nigeria and developed a
  balanced scorecard through COBIT from the exercise. December 2008.
